The New York Department of Financial Services (NYDFS) regulation 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companieswent into effect March 1, 2017. The regulations set substantive data security requirements for all financial institutions and while companies are not directed to implement all requirements together, some, as shown in the graphic below, are due within the 180 days. However, in order to create a successful program, companies should understand how each of these requirements informs the others.

What should I do first?

Once the countdown to 180 days starts, organizations will need to evaluate where their program currently stands and what tasks they will need to complete. Actions taken during this first 180 days will set the foundation for success and will help create the baseline of processes and procedures necessary for a successful and resilient cybersecurity program.

The first step is to designate a Chief Information Security Officer (CISO) or another qualified person, who may be an employee or a third party service provider, to oversee this process. The CISO, together with company executives, members of the Information Technology department and other stakeholders, will need to define the roles and responsibilities for cybersecurity.

The next step is to conduct an inventory of all assets and determine the criticality levels of each system. This inventory feeds into the risk assessment process which will identify the gaps in your company’s critical risk areas and determine how to close them. The assessment also sets boundaries and informs investment decisions to mitigate threats according to the level of risk and criticality of each system.

Once the risk assessment is complete, you can start creating your cybersecurity policies by referring to the fourteen areas set forth by the NYDFS. K2 Intelligence also recommends adding an independent mobility policy that covers mobile devices, telework, and remote network access.

Addressing access privileges should be next, after your cybersecurity policies are set. Best practices show that using the principle of least privilege is best. This process includes defining the kind of information with which your company deals, the groups of users who exist on the network, and determining what information is essential for each group to have access – and then authorizing them no more than this essential access.

The last step in your first 180 day plan is to develop an incident response plan which sets policies and defines an incident, codifies the roles and responsibilities during an incident, explains methodologies, and outlines the response phases (preparation, detection, containment, investigation, remediation, recovery, lessons learned).

Once these first steps are complete your company will have the foundation of a successful cybersecurity plan. The additional steps required in years one and two add more rigor to your cybersecurity posture with testing, monitoring, and access control mechanisms that provide assurances that your policies and procedures are working the way they were designed.